
Getting Familiar with MBSA 1.2.1


Presentation Transcript


    1. 2004. www.gc.peachnet.edu/it/abarker. All rights reserved.
       Getting Familiar with MBSA 1.2.1
       Alfred Barker, Gainesville College
       http://www.gc.peachnet.edu/it/abarker

    2. Agenda
       - Overall Features and Design
       - Tool Overview
       - Scanning / Performance
       - SUS / SMS
       - MBSA Details
       - Limitations of MBSA v1.1.1
       - What's new in MBSA v1.2.1
       - Scripting with MBSA v1.2.1

    3. Overall Features and Design

    4. Tool Overview
       - Single executable that runs on Microsoft Windows 2000, Windows XP, and Windows Server 2003 (the /hf local scan also works on Windows NT 4.0 SP4).
       - Performs remote scans against Windows NT 4.0 SP4, Windows 2000, Windows XP, and Windows Server 2003 systems.
       - Focused on agent-less assessment and tactical deployment; designed to be easy to use and easy to take advantage of.
       - Installer package contains:
         - GUI (Mbsa.exe)
         - Command-line interface (Mbsacli.exe)
       - Latest version is 1.2.1, just released August 16, 2004. The prior versions, 1.1.1 and 1.2, were released in June 2003 and January 2004.

    5. MBSA: How it works*

    6. Scanning
       - Two main engines:
         - MBSA engine for system configuration checks (about 60 different checks)
         - HFNetChk engine for security update checks
       - MBSA-style scan:
         - System configuration checks and missing security updates
         - Offered through the MBSA GUI (Mbsa.exe) or CLI (Mbsacli.exe)
         - Individual XML scan report created for each computer
         - Single threaded
       - /hf style scan:
         - Only missing/installed security updates and service packs
         - Offered through Mbsacli.exe using the /hf switch
         - Text output to screen, or option to write text to a file
         - Multithreaded

    7. Scale/Performance

    8. SUS Support
       - Perform a security update scan by pointing at a local SUS server for approved updates.
       - GUI: MBSA reads the registry for SUS server info, or the user types it in.
       - Command line:
         - Mbsacli.exe /sus http://mysusserver
         - Mbsacli.exe /hf /sus http://mysusserver
       - Scans for the updates approved on the SUS server instead of all available updates.
       - Reads the ApprovedItems.txt file through HTTP from the SUS server.

    9. SMS Support
       - Compatible with the SMS 2.0 Software Update Services Feature Pack and SMS 2003
       - Pushes /hf to each client to perform a local scan (Mbsacli.exe /hf) and parses the output
       - SMS administrators can centrally distribute security updates to clients
       - SMS 2003 is currently using MBSA v1.2

    10. MBSA Details

    11. MBSA v1.1.1 Limitations
       - Note messages are displayed for patches that can't be confirmed:
         - Products that don't have detection, e.g. MSXML for MS02-008 (multiple KBs for multiple versions)
         - More than one patch for a single product targeted at a particular OS (Mssecure.xml schema limitation), e.g. DirectX 9.0 for Windows 2000, Windows XP and Windows Server 2003 in MS03-030, or a version of an Internet Explorer 5.01 patch for Windows 2000 that differs from Internet Explorer 5.01 on Windows XP
         - Sometimes MBSA can only check for a registry key to determine whether a patch is installed. Example: a common registry key for each Ntdll.dll version in MS03-007, whereas the file versions and checksums differ
       - When a non-security update overwrites files that were previously patched, MBSA flags the originally patched files as vulnerable.
       - No localized file details to use for checksum data, except for English.

    12. What's New in the MBSA v1.2 Family
       - UI improvements:
         - Tool localization (JA, DE, FR)
         - MSSecure.xml localization support (as available)
         - Upgrade support and new version notification
       - Revamped KB article 306460 (September 23, 2004):
         - Complete list of products supported/unsupported
         - Updated list of notes/warnings/product names
       - Additional products:
         - Office Detection Tool integration (local scans only) for Office 2000 and later
         - Microsoft Data Access Components (MDAC), Microsoft XML Core Services (MSXML), Microsoft Virtual Machine (JVM), eBiz detection
       - Alternate file versions (AFiles)
       - Added configuration checks

    13. Upgrade Notification

    14. Event Logging

    15. Supported Products
       - For configuration settings:
         - Windows NT 4.0 SP4, Windows 2000, Windows XP, Windows Server 2003
         - Internet Information Services (IIS) 4.0, IIS 5.0, IIS 6.0
         - SQL Server 7.0, SQL Server 2000
         - Internet Explorer 5.01+
         - Office 2000, Office XP, Office 2003
       - For security updates:
         - Windows NT 4.0 SP4, Windows 2000, Windows XP, Windows Server 2003
         - IIS 4.0, IIS 5.0, IIS 6.0
         - SQL Server 7.0, SQL Server 2000 / Microsoft Data Engine (MSDE)
         - Internet Explorer 5.01+
         - Exchange 5.5, Exchange 2000, Exchange 2003
         - Windows Media Player 6.4+
         - Office 2000, Office XP, Office 2003
         - MSXML versions 2.5, 2.6, 3.0, 4.0
         - MDAC versions 2.5, 2.6, 2.7, 2.8
         - Microsoft Virtual Machine (JVM)
         - Commerce Server 2000, Commerce Server 2002
         - Content Management Server 2001, Content Management Server 2002
         - BizTalk 2000, BizTalk 2002, BizTalk 2004
         - Host Integration Server 2000, Host Integration Server 2004 (+ SNA Server 4.0)

    16. Alternate File Versions
       - OR logic to consider multiple sets of file details.
       - Handles the case of a non-security update overwriting a security update.
       - A bulletin can have multiple patches for products targeted at different operating systems.
       - Handles uniprocessor or multiprocessor patches and the QFE/GDR branches (KB 824994: Quick Fix Engineering / General Distribution Release).
       - Detection checks the list of alternate files: if none match, the missing patch message reflects the file version of the first file entry listed in MSSecure (whether it is a FileChangeID or an AFileChangeID).
       - Alternate files are listed as AFileChangeID. MBSA 1.1.1 ignores AFileChangeID entries and only recognizes FileChangeID entries, which maximizes backward compatibility with MBSA v1.1.1 until customers upgrade.
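The OR logic from this slide, as an added example that is not MBSA's own code: a patch counts as installed if the file on disk satisfies any listed entry, and when nothing matches the message is built from the first entry listed. The file names, versions and the assumption that a file version greater than or equal to an entry's version satisfies that entry are mine, not taken from MSSecure.xml.

```python
"""Added example (not MBSA's own code): the alternate-file-version OR logic.
A bulletin lists a primary file entry (FileChangeID) plus optional alternates
(AFileChangeID); the patch counts as installed if the file on disk satisfies
ANY entry. Assumption: version >= the entry's version satisfies the entry."""
from dataclasses import dataclass

def parse_version(text):
    """'5.0.2195.6000' -> (5, 0, 2195, 6000) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

@dataclass(frozen=True)
class FileEntry:
    path: str
    version: str
    alternate: bool = False  # True for an AFileChangeID entry

@dataclass(frozen=True)
class Verdict:
    installed: bool
    message: str

def check_patch(entries, installed_versions, honour_alternates=True):
    """entries: FileEntry list in MSSecure order (the first one is the primary);
    installed_versions: {path: version} found on the scanned system;
    honour_alternates=False mimics MBSA 1.1.1, which ignores AFileChangeID."""
    for entry in entries:
        if entry.alternate and not honour_alternates:
            continue
        found = installed_versions.get(entry.path)
        if found and parse_version(found) >= parse_version(entry.version):
            return Verdict(True, f"{entry.path} {found} satisfies {entry.version}")
    # Nothing matched: report against the FIRST listed entry, as MBSA 1.2 does.
    first = entries[0]
    found = installed_versions.get(first.path, "not found")
    return Verdict(False, f"{first.path} is {found}, expected {first.version}")

# Constructed sample: the primary entry is the security patch's build; the
# alternate is the same fix carried by a later update from another build
# branch with a lower version number (the overwrite case on the slide).
SAMPLE_ENTRIES = [
    FileEntry("Ntdll.dll", "5.0.2195.6000"),
    FileEntry("Ntdll.dll", "5.0.2195.5900", alternate=True),
]
SAMPLE_SYSTEM = {"Ntdll.dll": "5.0.2195.5950"}

if __name__ == "__main__":
    print(check_patch(SAMPLE_ENTRIES, SAMPLE_SYSTEM))
    print(check_patch(SAMPLE_ENTRIES, SAMPLE_SYSTEM, honour_alternates=False))
```

Running it shows the same system judged patched with alternates honoured and flagged as missing (with the primary entry's version in the message) when they are ignored, which is the 1.1.1 false positive the slide describes.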

    17. Alternate File Versions in Detail

    18. Other Improvements
       - File version checks on Multilingual User Interface (MUI) systems:
         - Fixes a bug where MBSA detected the wrong file version numbers on systems using MUI
         - The issue was a known problem with the GetFileVersionInfo API on Windows 2000 systems
       - Guest account check:
         - Fixed a bug where the ForceGuest registry key wasn't checked (an enabled Guest account is only flagged if simple file sharing isn't used and ForceGuest isn't enabled; KB 290403)
       - Internet Explorer custom zone interpretation:
         - MBSA now interprets custom zone settings and compares them to the recommended default zone level settings
       - Event logging (with a link to Help and Support)
       - Outlook zone check collapsed into the Internet Explorer zone check and the Office macro check

    19. Additional Checks New to v1.2.1
       - Internet Connection Firewall (ICF):
         - Check performed on local computer scans only
         - Lists each network connection with its ICF status (disabled/enabled, and whether inbound ports are open)
         - No listing of which ports are open
       - Automatic Updates (AU):
         - Check performed on both local and remote machines
         - MBSA flags if AU is not enabled, or if it is enabled but not configured to automatically download and install
       - Internet Explorer Enhanced Security Configuration (Internet Explorer hardening):
         - Check performed on Windows Server 2003 only
         - Checks whether IEESC is enabled for admins and non-admins

    20. Details on Localized Patch Scans
       - MSSecure.cab files:
         - MBSA tries to download the .cab file that matches the operating system language of the scanned computer (so the patch data will match the operating system).
         - If that fails, MBSA looks in the local folder for a previously downloaded copy of this .cab file.
         - If that fails, MBSA falls back to using the English file.
       - The language of the scanned computer determines whether checksum checks are performed:
         - If the operating system language of the scanned computer matches the language of the MSSecure file being used in the scan, checksum checks are performed.
         - Explicitly passing /sum or /nosum forces or prevents the use of checksums.

    21. Office Update Scans
       - Integrated Office Update Inventory Tool 2.1
       - Office updates are checked on local computer scans only; no remote checking
       - The Office tool downloads separate Office update database files (similar to HFNetChk downloading Mssecure.cab)
       - Offline scanning uses a similar workaround for getting the detection catalog onto the scanning computer
       - Scanning limitations are described in the following support article: MBSA Version 1.2 Support for Microsoft Office Products
         - http://go.microsoft.com/fwlink/?LinkId=19025
         - http://www.microsoft.com/technet/security/tools.mbsaqa.mspx
       - Users running mbsacli.exe /hf will not receive an Office updates scan:
         - Office detection logic is not in HFNetChk
         - Office patch data is not in Mssecure.xml

    22. Default Scan Options
       - MBSA scan (GUI): uses -baseline, -v, -nosum
         - -baseline aligns with Windows Update (WU) critical security updates
         - By default, notes and warnings are still shown
         - Checksum checks are not performed (to match WU)
       - MBSA scan (Mbsacli.exe): uses -sum
         - Checksum checks performed
         - By default, notes and warnings are still shown
       - HFNetChk scan (Mbsacli.exe /hf): uses -sum
         - Checksum checks performed
         - Notes and warnings still shown by default

    23. Requirements
       - XML parser: MSXML version 3.0 or later with the latest SP (go.microsoft.com/fwlink/?Linkid-16533)
       - Required services:
         - Computer being scanned locally: Workstation service; Server service; World Wide Web service (for IIS vulnerability checks)
         - Computer running MBSA that performs remote scans: Workstation service; Client for Microsoft Networks
         - Computer being remotely scanned: Server service; Remote Registry service; File and Print Sharing

    24. Requirements (2)
       - IIS Common Files (required on the local computer when scanning remote IIS computers)
       - Firewall ports:
         - Port 80 (HTTP), outbound from the scanning computer: needed to download the Mssecure.xml file
         - TCP 139, 445, inbound to the scanned computer(s): needed to scan remote computers
         - UDP 137, 138: to authenticate to the remote computer
       - User must be running as Local Administrator for scanning

    25. Scan Connections
       - MBSA-style scans: MBSA tries to verify each machine account using
         - NetWkstaGetInfo() (Windows for Workgroups)
         - LookupAccountName (Win32 API)
         - gethostbyaddr (Windows Sockets function)
       - HFNetChk-style scans: the HF engine looks for the two IP ports (TCP 139, 445) required for scanning on each computer. The scan fails if the engine cannot connect to the ports. This does not rely on ICMP.

    26. Scripting with MBSA v1.2.1

    27. Scripting with MBSA v1.2.1
       - Scripts for leveraging MBSA in other solutions:
         - Enable large-scale scanning, and let low-rights end users check their own compliance without calling the helpdesk
         - Scan an unlimited number of computers or IP addresses from an input file
         - Roll up the results across many reports into a single summary based on one or more bulletin IDs or check IDs
       - More info (available upon release): www.microsoft.com/technet/security/tools/mbsahome.mspx

    28. Scripting with MBSA v1.2.1 (2)
       - Sample of rolling up the results across many reports into a single summary
       - Open the resulting XML file in Internet Explorer:
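A roll-up of the kind this slide samples, as an added example that is not one of the scripts shipped with MBSA: several per-computer reports are folded into one summary keyed by bulletin ID, optionally limited to the bulletins you ask for. The report layout, computer names and patch states below are constructed for the example; they are a simplified stand-in, not MBSA's real XML schema.

```python
"""Added example, not one of the scripts shipped with MBSA: roll several
per-computer scan reports up into one summary keyed by bulletin ID. The XML
layout below is a constructed, simplified stand-in for MBSA's report format,
not its real schema."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample reports, one per scanned computer. "Note" mirrors the
# slides' note messages for patches whose state could not be confirmed.
REPORTS = [
    '<Report computer="WKS01"><Patch id="MS03-007" status="Missing"/>'
    '<Patch id="MS03-030" status="Installed"/><Patch id="MS02-008" status="Note"/></Report>',
    '<Report computer="WKS02"><Patch id="MS03-007" status="Missing"/>'
    '<Patch id="MS03-030" status="Missing"/></Report>',
    '<Report computer="SRV01"><Patch id="MS03-007" status="Installed"/>'
    '<Patch id="MS03-030" status="Installed"/><Patch id="MS02-008" status="Installed"/></Report>',
]

def rollup(reports, bulletin_ids=None):
    """Return {bulletin: {status: sorted computers}} for every non-Installed
    result. bulletin_ids, if given, restricts the summary to those IDs."""
    summary = defaultdict(lambda: defaultdict(set))
    for xml_text in reports:
        root = ET.fromstring(xml_text)
        computer = root.get("computer", "unknown")
        for patch in root.iter("Patch"):
            bulletin, status = patch.get("id"), patch.get("status")
            if bulletin_ids and bulletin not in bulletin_ids:
                continue
            if status != "Installed":
                summary[bulletin][status].add(computer)
    return {b: {s: sorted(c) for s, c in by_status.items()}
            for b, by_status in summary.items()}

def render(summary):
    """Plain-text table of the roll-up, one line per bulletin and status."""
    lines = [f"{'Bulletin':<10}{'Status':<10}Computers"]
    for bulletin in sorted(summary):
        for status, computers in sorted(summary[bulletin].items()):
            lines.append(f"{bulletin:<10}{status:<10}{', '.join(computers)}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render(rollup(REPORTS)))
    print(render(rollup(REPORTS, bulletin_ids={"MS03-007"})))
```

To use it against real scans you would replace REPORTS with the text of the per-computer XML files MBSA writes and adjust the element and attribute names to MBSA's actual schema.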

    29. Questions?
       - Caveats:
         - MSSecure.xml is not publicly supported
         - MSSecure.xml is only supported for MBSA
         - Classic file sharing supported
       - PowerPoint, scripts, and notes: http://www.gc.peachnet.edu/it/abarker
       - Thank YOU!

    30. MBSA Support
       - MBSA public newsgroup:
         - News server: msnews.microsoft.com
         - Newsgroup: microsoft.public.security.baseline_analyzer
       - Internet resources:
         - Home page: http://www.microsoft.com/technet/security/tools/mbsahome.mspx
         - FAQ: http://www.microsoft.com/technet/security/tools/mbsaqa.mspx
         - Technical white paper: http://www.microsoft.com/technet/security/tools/mbsawp.mspx
         - KB 320454 (main MBSA KB article)
         - KB 306460 (note messages KB article)
         - Scripting with the Microsoft Baseline Security Analyzer v1.2: http://www.microsoft.com/technet/security/tools/mbsascript.mspx
         - MBSA Version 1.2 Support for Microsoft Office Products: http://www.microsoft.com/en-us/assistance/HA010884161033.aspx
